Credit card details from almost half of all South Koreans may have been exposed by an employee at a credit ratings firm

The personal data of at least 20 million bank and credit card users in South Korea has been leaked, in one of the country's biggest ever breaches.

The data was stolen by a computer contractor working for a company called the Korea Credit Bureau, which produces personal credit ratings.

According to the Financial Supervisory Service (FSS), the contractor stole the data from the internal servers of three credit card firms – KB Financial Group, NongHyup Financial Group and Lotte Group – and then sold the data to phone marketing companies.

The employee in question has been arrested, along with managers at the phone marketing companies. Regulators have also launched investigations into security measures at the affected firms, and the credit card firms have said they will cover any financial losses.

All 27 executives from KB Financial's banking and credit card units and its holding firm have reportedly offered to resign, as well as nine executives from Lotte Group and the head of NongHyup's card business.

Commenting on the news, Matt Middleton-Leal, regional director for the UK and Ireland at security firm CyberArk, said that the sheer scale of the data breach is extremely alarming.

“The fact that the individual was reportedly able to access and then sell on vast quantities of customer information is very worrying. It should not be the case that an employee – and in this case a temporary consultant – is able to access and then download sensitive data without this suspicious activity being flagged up,” he said.

“It would seem that this case is a classic example of the ‘insider threat’ – that is, the malicious abuse of privileged access. A breach of customer data can spell disaster for a business, due to the loss of customer confidence, revenue and the possibility of severe financial penalties if they are found to have been negligent in the protection of this information.”

Many major firms in South Korea have seen customers' data leaked in recent years, either by hacking attacks or their own employees.

An employee of Citibank Korea was arrested last month for stealing the personal data of 34,000 customers and, in 2011, Seoul's top games developer Nexon saw the personal information of 13 million users of its popular online game MapleStory stolen by hackers.